Compile payload

Last updated 7 months ago

Was this helpful?

Compile payload

Compiling payload on the local host which is going to be executed on a remote victim often comes errors in form of version mismatch. Below is a quick way to solve it.

Debian-based (`glibc`)

Find information about the target.

aas@Leakage:/tmp$ cat /etc/os-release  | grep -i pretty
PRETTY_NAME="Ubuntu 18.04.3 LTS"

aas@Leakage:/tmp$ ls -al /lib/x86_64-linux-gnu/libc.so.6
lrwxrwxrwx 1 root root 12 Apr 16  2018 /lib/x86_64-linux-gnu/libc.so.6 -> libc-2.27.so

Create a Dockerfile with the same image or libc-version.

Ubuntu images:

## Dockerfile
FROM ubuntu:18.04 as dev

## Install build-essential and copy files to container
RUN apt update && apt install -y build-essential
WORKDIR /src
COPY . /src/

## Build the binary
FROM dev as build
RUN CGO_ENABLED=0 gcc -o cve exploit.c

## Copy binary from container to host
FROM scratch as artifact
COPY --from=build /src/cve ./cve

FROM release

Build the payload using DOCKER_BUILDKIT

utv-kali :: /tmp/test » DOCKER_BUILDKIT=1 docker build --target artifact --output type=local,dest=. . --network=host
[+] Building 12.4s (11/11) FINISHED                                                                                                                           
 => [internal] load build definition from Dockerfile                                                                                                     0.0s
 => => transferring dockerfile: 460B                                                                                                                     0.0s
 => [internal] load .dockerignore                                                                                                                        0.0s
 => => transferring context: 2B                                                                                                                          0.0s
 => [internal] load metadata for docker.io/library/ubuntu:18.04                                                                                          0.5s
 => [internal] load build context                                                                                                                        0.0s
 => => transferring context: 483B                                                                                                                        0.0s
 => CACHED [dev 1/4] FROM docker.io/library/ubuntu:18.04@sha256:152dc042452c496007f07ca9127571cb9c29697f42acbfad72324b2bb2e43c98                         0.0s
 => [dev 2/4] RUN apt update && apt install -y build-essential                                                                                          11.8s
 => [dev 3/4] WORKDIR /src                                                                                                                               0.0s 
 => [dev 4/4] COPY . /src/                                                                                                                               0.0s 
 => [build 1/1] RUN CGO_ENABLED=0 gcc -o cve exploit.c                                                                                                   0.1s 
 => [artifact 1/1] COPY --from=build /src/cve ./cve                                                                                                      0.0s 
 => exporting to client                                                                                                                                  0.0s 
 => => copying files 13.16kB                                                                                                                             0.0s
 
utv-kali :: /tmp/test » ls -al
total 28
drwxrwxr-x  2 void void   100 Nov  2 14:22 .
drwxrwxrwt 39 root root   860 Nov  2 15:55 ..
-rw-rw-r--  1 void void   342 Nov  2 14:17 Dockerfile
-rwxr-xr-x  1 void void 13136 Nov  2 14:03 cve
-rw-rw-r--  1 void void  6312 Nov  2 13:08 exploit.c

Alpine-based (`libc.musl`)

## Dockerfile
FROM frolvlad/alpine-glibc:glibc-2.27 as dev

## Install builder-base and copy files to container
RUN apk add build-base
WORKDIR /src
COPY . /src/

## Build the binary
FROM dev as build
RUN CGO_ENABLED=0 gcc -o cve exploit.c

## Copy binary from container to host
FROM scratch as artifact
COPY --from=build /src/cve ./cve

FROM release

Build the payload with the same commands as in the above example.

Last updated 7 months ago

Was this helpful?

Compiling payload on the local host which is going to be executed on a remote victim often comes errors in form of version mismatch. Below is a quick way to solve it.

Debian-based (`glibc`)

Find information about the target.

aas@Leakage:/tmp$ cat /etc/os-release  | grep -i pretty
PRETTY_NAME="Ubuntu 18.04.3 LTS"

aas@Leakage:/tmp$ ls -al /lib/x86_64-linux-gnu/libc.so.6
lrwxrwxrwx 1 root root 12 Apr 16  2018 /lib/x86_64-linux-gnu/libc.so.6 -> libc-2.27.so

Create a Dockerfile with the same image or libc-version.

Ubuntu images:

## Dockerfile
FROM ubuntu:18.04 as dev

## Install build-essential and copy files to container
RUN apt update && apt install -y build-essential
WORKDIR /src
COPY . /src/

## Build the binary
FROM dev as build
RUN CGO_ENABLED=0 gcc -o cve exploit.c

## Copy binary from container to host
FROM scratch as artifact
COPY --from=build /src/cve ./cve

FROM release

Build the payload using DOCKER_BUILDKIT

utv-kali :: /tmp/test » DOCKER_BUILDKIT=1 docker build --target artifact --output type=local,dest=. . --network=host
[+] Building 12.4s (11/11) FINISHED                                                                                                                           
 => [internal] load build definition from Dockerfile                                                                                                     0.0s
 => => transferring dockerfile: 460B                                                                                                                     0.0s
 => [internal] load .dockerignore                                                                                                                        0.0s
 => => transferring context: 2B                                                                                                                          0.0s
 => [internal] load metadata for docker.io/library/ubuntu:18.04                                                                                          0.5s
 => [internal] load build context                                                                                                                        0.0s
 => => transferring context: 483B                                                                                                                        0.0s
 => CACHED [dev 1/4] FROM docker.io/library/ubuntu:18.04@sha256:152dc042452c496007f07ca9127571cb9c29697f42acbfad72324b2bb2e43c98                         0.0s
 => [dev 2/4] RUN apt update && apt install -y build-essential                                                                                          11.8s
 => [dev 3/4] WORKDIR /src                                                                                                                               0.0s 
 => [dev 4/4] COPY . /src/                                                                                                                               0.0s 
 => [build 1/1] RUN CGO_ENABLED=0 gcc -o cve exploit.c                                                                                                   0.1s 
 => [artifact 1/1] COPY --from=build /src/cve ./cve                                                                                                      0.0s 
 => exporting to client                                                                                                                                  0.0s 
 => => copying files 13.16kB                                                                                                                             0.0s
 
utv-kali :: /tmp/test » ls -al
total 28
drwxrwxr-x  2 void void   100 Nov  2 14:22 .
drwxrwxrwt 39 root root   860 Nov  2 15:55 ..
-rw-rw-r--  1 void void   342 Nov  2 14:17 Dockerfile
-rwxr-xr-x  1 void void 13136 Nov  2 14:03 cve
-rw-rw-r--  1 void void  6312 Nov  2 13:08 exploit.c

Alpine-based (`libc.musl`)

Useful images:

## Dockerfile
FROM frolvlad/alpine-glibc:glibc-2.27 as dev

## Install builder-base and copy files to container
RUN apk add build-base
WORKDIR /src
COPY . /src/

## Build the binary
FROM dev as build
RUN CGO_ENABLED=0 gcc -o cve exploit.c

## Copy binary from container to host
FROM scratch as artifact
COPY --from=build /src/cve ./cve

FROM release

Build the payload with the same commands as in the above example.